Audit Trail

The audit trail contains binary audit files. The trail is created by the
audit_binfile plugin. The audit service is responsible for collecting the audit trail
records and sending them to the plugin, which writes them to disk.

The audit records are stored in binary format on file systems that
are dedicated to audit files. Even though you can physically locate audit
directories within file systems that are not dedicated to auditing, do not
do so except for directories of last resort. Directories of last resort are
directories where audit files are written only when no other suitable directory
is available.

There is one other scenario where locating audit directories outside of dedicated
audit file systems could be acceptable: a software development environment
where auditing is optional. There, making full use of disk space might be more
important than keeping an audit trail. However, in a security-conscious
environment, the placement of audit directories within other file systems is
not acceptable.

You should also consider the following factors when administering audit file systems:

A host should have at least one local audit directory. The local directory can be used as a directory of last resort if the host is unable to communicate with the audit server.

Mount audit directories with the read-write (rw) option. When you mount audit directories remotely, also use the intr and noac options.

Protect the mount point by setting devices=off, exec=off and setuid=off.

On the audit server, list the audit file systems in the server's export list (the list of shared file systems). The export list should include all systems that are being audited at the site.
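As an added example (not part of the guide), a POSIX shell check that compares an audit directory's mount option string against the options recommended above; the server name "auditserver" and the share path are constructed placeholders.

```shell
#!/bin/sh
# Added example: validate an audit directory mount's option string against the
# recommendations in this section. "auditserver" and "/var/audit/host1" below
# are constructed placeholders, not values from the guide.

# Options every dedicated audit directory mount is expected to carry.
AUDIT_BASE_OPTS="rw devices=off exec=off setuid=off"
# Additional options expected only when the directory is mounted remotely.
AUDIT_REMOTE_OPTS="intr noac"

# has_opt OPTSTRING OPT : true if OPT appears as one comma-separated element.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_audit_mount OPTSTRING [remote]
# Prints each missing or conflicting option; returns 0 only when the string
# satisfies the recommendations (remote mounts must also carry intr and noac).
check_audit_mount() {
    opts=$1
    required=$AUDIT_BASE_OPTS
    [ "$2" = "remote" ] && required="$required $AUDIT_REMOTE_OPTS"
    rc=0
    for o in $required; do
        if ! has_opt "$opts" "$o"; then
            echo "missing option: $o"
            rc=1
        fi
    done
    # A read-only mount, or an explicit enable of devices/exec/setuid, is a
    # misconfiguration even when the required options are present.
    for bad in ro devices=on exec=on setuid=on; do
        if has_opt "$opts" "$bad"; then
            echo "conflicting option: $bad"
            rc=1
        fi
    done
    return $rc
}

# A remote audit directory entry as it might appear in /etc/vfstab (constructed):
#   auditserver:/var/audit/host1 - /var/audit/auditserver nfs - yes rw,intr,noac,devices=off,exec=off,setuid=off
check_audit_mount "rw,intr,noac,devices=off,exec=off,setuid=off" remote
check_audit_mount "rw,exec=off" remote || echo "remote audit mount needs fixing"
```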